High-end business executives travelling in Asia are being targeted by a complex spying malware that is lurking in the Wi-Fi networks and business centres of their luxury hotels, the security firm Kaspersky Lab says.

In a new report, Kaspersky describes a sophisticated software package it calls Darkhotel, which tracks specific hotel guests but which has also been widely spread through file-sharing networks.

When transmitted through hotel Wi-Fi, the malware was deployed in such a precise way that the report concludes the attackers had to have access to check-in information such as the victim’s name, room number and expected arrival and departure times.

“The fact that most of the time the victims are top executives indicates the attackers have knowledge of their victims whereabouts, including name and place of stay. This paints a dark, dangerous web in which unsuspecting travellers can easily fall,” the report said.

Who is behind it.

Without explicitly saying that the malware was deployed by a nation state, Kaspersky says it is not a run-of-the-mill malicious program.

In an interview, Kurt Baumgartner, principal security researcher at Kaspersky, said creating the malware would have required a well-financed, multiple-team effort by skilled hackers.

He noted that the creators had a good grasp of cryptography and “zero-days” or previously unknown software flaws. “These guys are very capable mathematically. As far as computer processing goes, this required some strong resources.”

The malware contains strings of characters written in Korean and one of its components is designed to disable itself if it encounters a machine where the default language is in Korean.

“It’s definitely a unique characteristic. It indicates something about the operators of the malware,” Mr. Baumgartner said.

Who the victims are.

A blog post from Kaspersky Lab researchers gave a more specific description of the malware’s targets: “CEOs, senior vice presidents, sales and marketing directors and top R&D staff.”

The victims worked in sectors such as defence industrial base, electronics manufacturing, investment capital and private equity, pharmaceuticals, law-enforcement and NGOs.

Kaspersky said its researchers visited some of the hotels and deployed a “honeypot” – a computer purposely left vulnerable to record hacking attempts – but it was not attacked by Darkhotel.

“This group of attackers seems to know in advance when these [targeted] individuals will arrive and depart from their high-end hotels. So, the attackers lay in wait until these travellers arrive and connect to the Internet,” the report said.

At the same time, Darkhotel propagated widely through peer-to-peer networks, hidden for example in a Japanese anime sex scene that’s downloadable in bittorrent.

Because of the peer-to-peer infections, the victims come mostly from Japan, Taiwan and China. However, it is harder to draw a portrait of the hotel victims, Mr. Baumgartner said.

Darkhotel is also spread through phishing – bogus e-mails mentioning topics such as “nuclear energy and weaponry capabilities” as a lure.

State–of-the-art package.

The first element of the malware to attack a traveller’s laptop is a Trojan virus, which pretends to be a new release of a popular computer tool such as GoogleToolbar, Adobe Flash or Windows Messenger, prompting hotel guests to install software updates.

Once the Trojan has breached the computer, it creates a backdoor access and sneaks in a suite of malicious spying modules inside the victim’s machine.

One of the tools the malware implants is a keylogger – a program that records every keystroke typed by the victim.

Darkhotel’s keylogger, which Kaspersky described as “clean, well-written” is scripted in a mix of English and Korean.

The keylogger operates at the kernel level, meaning it runs inside the central component of the victim’s computer operating system. This makes it more reliable and harder to detect, but it also requires a more labour-intensive, higher-skilled level of hacking, Mr. Baumgartner noted.

“Kernel-level keyloggers are not a trival component to create. They’re very difficult to write and to test,” he said.

The Darkhotel malware toolset also includes an information-stealer, a module that can nab passwords, e-mail and browser credentials and other log-in information.

This module is designed to remove itself if it detects that the default language is Korean.

In another unusual feature, after the initial breach, the malware can go dormant for up to six months before it tries to contact a remote control server.

Mr. Baumgartner said this feature enables Darkhotel to evade any examination by IT upon the victim’s return from a trip to Asia.

What happens next.

Kaspersky is working with law-enforcement and corporate victims to investigate the malware further.

Mr. Baumgartner said he did not expect the attackers to shut down their malware and lay low for a while, following the release of the Kaspersky report.

“We’re in the middle of the investigation. It keeps growing. There’s other parts of the world we haven’t completely examined yet. We have strong suspicions other regions of the world had the same problem.”

Topics

Next story

| Learn More

Discover content from The Globe and Mail that you might otherwise not have come across. Here we’ll provide you with fresh suggestions where we will continue to make even better ones as we get to know you better.

Restrictions

All rights reserved. Republication or redistribution of Thomson Reuters content, including by framing or similar means, is prohibited without the prior written consent of Thomson Reuters. Thomson Reuters is not liable for any errors or delays in Thomson Reuters content, or for any actions taken in reliance on such content. ‘Thomson Reuters’ and the Thomson Reuters logo are trademarks of Thomson Reuters and its affiliated companies.